New TamperedChef Attack Uses Weaponized PDF Editor to Steal Sensitive Data and Login Credentials

Cybersecurity researchers at Truesec have uncovered a sophisticated malware campaign distributing a weaponized PDF editor under the guise of “AppSuite PDF Editor.”

This operation, which began on June 26, 2025, involves multiple websites promoting the software as a free utility tool, overlapping with findings from Expel on similar threats like ManualFinder.

The malicious executable, PDF Editor.exe, exhibits heavy obfuscation potentially generated by AI or large language models, with key hashes including MD5 6fd6c053f8fcf345efaa04f16ac0bffe, SHA1 2ecd25269173890e04fe00ea23a585e4f0a206ad, and SHA256 cb15e1ec1a472631c53378d54f2043ba57586e3a28329c9dbf40cb69d7c10d2c.

Distribution Tactics

Upon execution, the installer displays a EULA, sends an HTTP GET request to hxxp://inst.productivity-tools.ai/status/InstallStart?v=1.0.28.0&p=PDFEditor&code=EN-US to signal the start of installation, and downloads the core payload from hxxp://vault.appsuites.ai/AppSuites-PDF-1.0.28.exe.

Completion triggers additional GET requests to confirm installation, and the installer establishes persistence via a registry key under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, with arguments like --cm for behavioral control.

Initially appearing benign, the software included mechanisms to poll for updates via a .js file, first noted on VirusTotal submissions as early as May 15, 2025.

However, from August 21, 2025, infected systems received commands activating the TamperedChef infostealer, adding a new registry entry for PDFEditorUpdater with --cm=--fullupdate.

This loads an obfuscated payload into /resources/app/w-electron/bun/releases/pdfeditor.js, enabling various --cm arguments such as --install, --enableupdate, --disableupdate, --fullupdate, --partialupdate, --backupupdate, --check, --ping, and --reboot.

Once activated, TamperedChef employs DPAPI to query browser databases for sensitive data, scans for security products, and terminates browser processes to access locked information like login credentials.
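As an added defender-side example (not code from the article or the Truesec report), the following Python flags the persistence and C2 indicators the article quotes in constructed, Sysmon-like telemetry; the event field names, indicator labels and sample records are assumptions of this example.

```python
"""Constructed detection example: flags the TamperedChef persistence and C2
indicators quoted in the article in simplified registry-set and DNS events."""
import re

# Indicators taken from the article; the event shape and field names are assumptions.
C2_DOMAINS = {"y2iax5.com", "abf26u.com", "mka3e8.com", "5b7crp.com"}
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
CM_ARG = re.compile(r"(?<!\S)--cm(?:=--[a-z]+)?(?!\S)", re.IGNORECASE)
LOADER_PATH = re.compile(r"resources[\\/]app[\\/]w-electron[\\/]bun[\\/]releases[\\/]pdfeditor\.js",
                         re.IGNORECASE)

def classify(event: dict) -> list[str]:
    """Return the indicator names one event matches (empty list when nothing matches)."""
    hits = []
    if event.get("type") == "registry":
        key = event.get("key", "").lower()
        # Reports often render the argument with an en dash; normalise before matching.
        data = event.get("data", "").replace("\u2013", "--")
        if RUN_KEY in key and CM_ARG.search(data):
            hits.append("run_key_with_cm_argument")
        if RUN_KEY in key and event.get("value", "").lower() == "pdfeditorupdater":
            hits.append("pdfeditorupdater_run_value")
        if LOADER_PATH.search(data):
            hits.append("pdfeditor_js_loader_path")
    elif event.get("type") == "dns":
        host = event.get("query", "").lower().rstrip(".")
        # Match the listed C2 domain itself or any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
            hits.append("known_c2_domain")
    return hits

def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (event id, indicators) for every event that matched at least one indicator."""
    return [(e["id"], h) for e in events for h in [classify(e)] if h]

# Constructed sample telemetry: two benign records and four modelled on the campaign.
RUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"id": "e1", "type": "registry", "key": RUN, "value": "OneDrive",
     "data": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"id": "e2", "type": "registry", "key": RUN, "value": "PDFEditorUpdater",
     "data": r'"C:\Users\u\AppData\Local\PDF Editor\PDF Editor.exe" --cm=--fullupdate'},
    {"id": "e3", "type": "registry", "key": RUN, "value": "PDF Editor",
     "data": "\"C:\\Program Files\\PDF Editor\\PDF Editor.exe\" \u2013cm"},  # en dash variant
    {"id": "e4", "type": "registry", "key": r"HKCU\SOFTWARE\PDF Editor", "value": "Loader",
     "data": r"C:\Users\u\AppData\Local\PDF Editor\resources\app\w-electron\bun\releases\pdfeditor.js"},
    {"id": "e5", "type": "dns", "query": "cdn.abf26u.com."},
    {"id": "e6", "type": "dns", "query": "www.microsoft.com"},
]
```

Running scan(SAMPLE_EVENTS) flags e2 through e5 and leaves the OneDrive and microsoft.com records untouched.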

The campaign leverages Google Ads for promotion, with traffic revealing at least five campaign IDs and referrers, indicating a broad reach.

The 56 days between release and malicious activation align closely with typical 60-day ad cycles, suggesting the threat actors maximized downloads before weaponizing the tool.

Digital signatures on variants come from dubious certificates issued to entities like ECHO Infini SDN BHD, GLINT By J SDN. BHD, and SUMMIT NEXUS Holdings LLC, with ECHO Infini’s website appearing generically AI-generated and sharing addresses with other suspicious firms.

Further ties link this to BYTE Media, whose certificates signed unrelated malware like Epibrowser.

Threat Actor History

Investigations trace the actor’s activities back to at least August 2024, involving potentially unwanted programs (PUPs) like OneStart and Epibrowser browsers, bundled with malicious code contacting the same C2 domains as TamperedChef.

Samples of OneStart exhibit similar behaviors, suggesting a pattern of disguising malware as utility tools.

In some installations, an elevate.exe binary recompiled from open-source code by Johannes Passing and signed by ECHO Infini appears alongside PDF Editor, potentially for future privilege escalation, though no executions were observed.

This escalation highlights the actor’s evolving tactics, affecting organizations in Europe through employee downloads.

According to the report, Truesec emphasizes vetting software from unknown sources, as benign tools can rapidly turn malicious. Google has responded helpfully to reports, and Truesec urges that similar threats be reported to local CERTs and to Google.

The campaign underscores risks in ad-driven software distribution, with ongoing variants rendering hash lists non-exhaustive.

Indicators of Compromise (IOC)

Hosting Domains: apdft.net, mypdfonestart.com, ltdpdf.com, pdfreplace.com, appsuites.ai

C2 Domains: y2iax5.com, abf26u.com, mka3e8.com, 5b7crp.com

SHA256 Hashes:
da3c6ec20a006ec4b289a90488f824f0f72098a2f5c2d3f37d7a2d4a83b344a0 (PDF Editor)
189b0ba8c61740d5ad1c802649718958a86f5b7a8c8e795dc2e990909a9ab88a (Elevate)
abbb3e96b910c9d1e2074dc05fd51e78984941f03bcb7d443714838849a7a928 (PDF Editor)
2e4de114ad10967f1807f317f476290dc0045bdfa9395553d1b443ef9f905018 (EpiBrowser)
